©2011, 2008 Pearson Education, Inc. Upper Saddle River, NJ 07458

FORENSIC SCIENCE: An Introduction, 2nd ed. By Richard Saferstein

COMPUTER FORENSICS

Chapter 18

Introduction
• Computers have permeated society and are used in countless ways with innumerable applications.
• Similarly, the role of electronic data in investigative work has grown exponentially in the last decade.
• The use of computers and other electronic data storage devices leaves footprints and data trails of their users.

Introduction
• Computer forensics involves the preservation, acquisition, extraction, and interpretation of computer data.
• In today's world of technology, many devices are capable of storing data and thus fall within the field of computer forensics.

The Basics
• Before getting into the nuts and bolts of computers, the important distinction between hardware and software must be established.
• Hardware comprises the physical and tangible components of the computer.

The Basics
• Software, conversely, is a set of instructions compiled into a program that performs a particular task. Software consists of the programs and applications that carry out sets of instructions on the hardware.

Terminology
• Computer Case/Chassis: The physical box holding the fixed internal computer components in place.
• Power Supply: The PC's power supply converts the power it receives from the wall outlet into a form usable by the computer and its components.

Terminology
• Motherboard: The main circuit board contained within a computer (or other electronic device).
• System Bus: Contained on the motherboard, the system bus is a complex network of wires that carries data from one hardware device to another.

Terminology
• Read Only Memory (ROM): ROM chips store programs called firmware, used to start the boot process and configure a computer's components.
• Random Access Memory (RAM): RAM takes the burden off the computer's processor and Hard Disk Drive (HDD) by holding the data and instructions the processor is actively working with, so they need not be fetched repeatedly from the much slower HDD.

Terminology
  – The computer, aware that it may need certain data at a moment's notice, stores that data in RAM.
  – RAM is referred to as volatile memory because it is not permanent; its contents change constantly and are lost once power is removed from the computer.

Terminology
• Central Processing Unit (CPU): The CPU, also referred to as the processor, is essentially the brain of the computer.
• Input Devices: Devices used to get data into the computer. To name a few:
  – Keyboard
  – Mouse
  – Joystick
  – Scanner

Terminology
• Output Devices: Equipment through which data is obtained from the computer. To name a few:
  – Monitor
  – Printer
  – Speakers
• The Hard Disk Drive (HDD) is typically the primary location of data storage within the computer.

Terminology
• Different operating systems map out (partition) HDDs in different manners.
• Examiners must be familiar with the file system they are examining.
• Evidence exists in many different locations and in numerous forms on an HDD.
• The types of evidence can be grouped under two major sub-headings: visible and latent data.

Storing and Retrieving Data
• The formatting process initializes portions of the hard drive so that it can store data, and it creates the structure of the file system.
• A sector is the smallest unit of data that a hard drive can address (traditionally 512 bytes; many newer drives use 4,096-byte sectors).
• A cluster usually is the minimum space allocated to a file. Clusters are groups of sectors, so a file almost always occupies more disk space than its logical size.

Processing the Electronic Crime Scene
• Processing the electronic crime scene has a lot in common with processing a traditional crime scene:
  – Warrants
  – Documentation
  – Good investigation techniques
• At this point, a decision must be made as to whether a live acquisition of the data is necessary.

Shutdown vs. Pulling the Plug
• Several factors influence the systematic shutdown vs. pulling the plug decision.
• For example, if disk encryption is in use, removing power discards the decryption key held in RAM and leaves the stored data unreadable without the password or key; in that situation pulling the plug would not be prudent.

Shutdown vs. Pulling the Plug
• Similarly, if crucial evidentiary data exists in RAM and has not been saved to the HDD, it will be lost when power to the system is discontinued, so another option must be considered.
• Regardless, the equipment will most likely be seized.

Forensic Image Acquisition
• Now that the items have been seized, the data needs to be obtained for analysis.
• The computer Hard Disk Drive will be used as an example, but the same "best practices" principles apply to other electronic devices as well.

Forensic Image Acquisition
• Throughout the entire process, the computer forensic examiner must adopt the method that is least intrusive.
• The goal in obtaining data from an HDD is to do so without altering even one bit of data.

Forensic Image Acquisition
• Because booting an HDD to its operating system changes many files and could potentially destroy evidentiary data, data is generally obtained by removing the HDD from the system and attaching it to a laboratory forensic computer, normally through a hardware write blocker, so that a forensic image can be created.
• Occasionally, in cases of specialized or unique equipment or systems, the image of the HDD must be obtained using the seized computer.

Forensic Image Acquisition
• Regardless, the examiner needs to be able to prove that the forensic image he/she obtained includes every bit of data and that the acquisition caused no changes (writes) to the HDD.

Computer Fingerprint
• To this end, a sort of fingerprint of the drive is taken before and after imaging.
• This fingerprint is produced with a cryptographic hash function such as Message Digest 5 (MD5), a member of the Secure Hash Algorithm (SHA) family, or a similar validated algorithm.
• Before imaging the drive, the algorithm is run over the drive's contents and produces a fixed-length hexadecimal string (32 characters for MD5, 40 for SHA-1, 64 for SHA-256) that depends on every bit of the drive's contents. MD5 and SHA-1 are no longer considered collision resistant, so examiners commonly record a SHA-256 value alongside the MD5.

Computer Fingerprint
• The same algorithm is then run against the resulting forensic image; if nothing changed, the same string is produced, demonstrating that the image is all-inclusive of the original contents and that nothing was altered in the process. Hashing the source drive again after imaging additionally shows that the acquisition itself wrote nothing to it.
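The verification described above, as an added example that is not part of the textbook: a single-pass MD5 and SHA-256 fingerprint of a source and of its sector-by-sector copy, compared digest by digest, followed by a one-bit change to the image to show that any alteration is detected. The 8 KiB "drive" is constructed in memory and stands in for a real device; the sector copy stands in for the imaging tool (a real acquisition would also go through a write blocker).

```python
"""Fingerprint a source drive and its forensic image with MD5 and SHA-256 (added example)."""
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB reads: a drive image is far too large to hold in memory


def fingerprint(stream, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} over the whole stream in a single pass.
    Every hasher is fed the same chunk, so a multi-terabyte source is read
    once, not once per algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream.seek(0)
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def fingerprint_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper for in-memory data."""
    return fingerprint(io.BytesIO(data), algorithms)


def sector_copy(source, sector_size=512):
    """Bit-for-bit copy of every sector into a new image stream (stands in for
    the imaging tool; a real acquisition would also go through a write blocker)."""
    source.seek(0)
    image = io.BytesIO()
    while True:
        sector = source.read(sector_size)
        if not sector:
            break
        image.write(sector)
    return image


def verify_image(source, image, algorithms=("md5", "sha256")):
    """Hash source and image and compare digest by digest.
    Returns (all_match, {algorithm: (source_digest, image_digest, match)})."""
    before = fingerprint(source, algorithms)
    after = fingerprint(image, algorithms)
    report = {name: (before[name], after[name], before[name] == after[name])
              for name in algorithms}
    return all(match for _, _, match in report.values()), report


def flip_one_bit(stream, offset, bit=0):
    """Return a copy of the stream with one bit toggled at byte `offset`, to show
    that any change, however small, yields different digests."""
    data = bytearray(stream.getvalue())
    data[offset] ^= 1 << bit
    return io.BytesIO(bytes(data))


# Constructed 8 KiB "drive": a boot-sector signature, a short document, then zeros.
SOURCE_DRIVE = io.BytesIO(
    b"\x55\xaa" + b"Meeting notes 2011-03-14: move the funds before the audit." + b"\x00" * 8000
)

if __name__ == "__main__":
    image = sector_copy(SOURCE_DRIVE)
    ok, report = verify_image(SOURCE_DRIVE, image)
    for name, (src, img, match) in report.items():
        print(f"{name:6} source {src}\n       image  {img}  match={match}")
    print("image verified:", ok)
    ok, _ = verify_image(SOURCE_DRIVE, flip_one_bit(image, 4096))
    print("after flipping one bit in the image:", ok)
```

Both digests are computed from one read of the source because the read, not the arithmetic, dominates the time on a large drive. The empty-input digests used in the test are the published MD5 and SHA-256 values for zero bytes.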

Visible Data
• Visible data is data of which the operating system is aware.
• Consequently, this data is easily accessible to the user.
• From an evidentiary standpoint, it can encompass any type of user-created data, such as:
  – word processing documents
  – spreadsheets
  – accounting records
  – databases
  – pictures

Temporary Files and Swap Space
• Temporary files, created by programs as a sort of "backup on the fly," can also prove valuable as evidence.
• Finally, data in the swap space (disk space the operating system uses to extend the computer's limited RAM) can yield evidentiary data.
• Latent data, on the other hand, is data of which the operating system is not aware.

Latent Data
• Evidentiary latent data can exist in both RAM slack and file slack.

Latent Data
• RAM slack is the area from the end of the logical file to the end of the sector that holds the file's last byte.
• File slack is the remaining area from the end of that final sector to the end of the cluster. Neither area belongs to the live file, so whatever the disk held there before is left undisturbed.
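The sector, cluster and slack geometry of the two preceding slides, as an added example (not from the textbook): the arithmetic for a file of any size, plus a routine that splits the raw bytes of a file's final cluster into live data, RAM slack and file slack. The 512-byte sector and 4,096-byte (8-sector) cluster are assumptions, as is the sample cluster, which is constructed so that the file slack still holds part of a deleted document.

```python
"""Sector, cluster and slack-space arithmetic for one file (added example)."""
from dataclasses import dataclass

SECTOR = 512            # bytes per sector (assumed: the traditional size)
CLUSTER = 8 * SECTOR    # bytes per cluster (assumed: 8 sectors = 4,096 bytes)


def ceil_div(a, b):
    return -(-a // b)


@dataclass(frozen=True)
class SlackLayout:
    logical_size: int        # bytes the file system reports for the file
    sectors_used: int        # sectors holding at least one byte of the file
    clusters_allocated: int  # clusters reserved for the file
    ram_slack: int           # end of logical file -> end of its last sector
    file_slack: int          # end of last used sector -> end of last cluster
    total_slack: int         # bytes allocated to the file that are not the file


def slack_layout(logical_size, sector=SECTOR, cluster=CLUSTER):
    """Compute where the file ends and how much slack trails it."""
    if cluster % sector:
        raise ValueError("a cluster must be a whole number of sectors")
    if logical_size == 0:
        # Treated here as owning no cluster (assumption; file systems differ).
        return SlackLayout(0, 0, 0, 0, 0, 0)
    sectors_used = ceil_div(logical_size, sector)
    clusters_allocated = ceil_div(logical_size, cluster)
    ram_slack = sectors_used * sector - logical_size
    file_slack = clusters_allocated * cluster - sectors_used * sector
    return SlackLayout(logical_size, sectors_used, clusters_allocated,
                       ram_slack, file_slack, ram_slack + file_slack)


def carve_final_cluster(cluster_bytes, logical_size, sector=SECTOR):
    """Split the raw bytes of a file's last cluster into
    (file data, RAM slack, file slack) using the geometry above."""
    cluster = len(cluster_bytes)
    if logical_size == 0:
        return b"", b"", cluster_bytes
    in_cluster = logical_size % cluster or cluster          # file bytes inside this cluster
    sector_end = ceil_div(in_cluster, sector) * sector     # end of last sector with file data
    return (cluster_bytes[:in_cluster],
            cluster_bytes[in_cluster:sector_end],
            cluster_bytes[sector_end:])


# Constructed final cluster of a 1,000-byte file: 1,000 bytes of the live file,
# 24 bytes of RAM slack (zero padding written with the last sector), then
# 3,072 bytes of file slack still holding part of an earlier, deleted document.
SAMPLE_LOGICAL_SIZE = 1000
SAMPLE_CLUSTER = (
    b"A" * SAMPLE_LOGICAL_SIZE
    + b"\x00" * 24
    + b"...old ledger: cash withdrawal 12,500 on 03/02...".ljust(3072, b"\xff")
)

if __name__ == "__main__":
    print(slack_layout(SAMPLE_LOGICAL_SIZE))
    data, ram_slack, file_slack = carve_final_cluster(SAMPLE_CLUSTER, SAMPLE_LOGICAL_SIZE)
    print(len(data), len(ram_slack), len(file_slack))
    print(file_slack.rstrip(b"\xff"))
```

A 1,000-byte file in this geometry uses two sectors and one cluster, leaving 24 bytes of RAM slack and 3,072 bytes of file slack; a 4,097-byte file spills into a second cluster and drags 4,095 bytes of slack with it, which is why slack is worth carving on every allocated file, not only small ones.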

Latent Data
• Another area where latent data might be found is unallocated space.
  – Unallocated space is space on an HDD that the operating system sees as empty and ready for data.

Latent Data
• The constant shuffling of data through deletion, defragmentation, swapping, etc., is one of the ways data is orphaned in latent areas.
• Finally, when a user deletes files, the data typically remains behind: the file system removes its reference to the file and marks the clusters unallocated, but the contents stay on disk until those clusters are reused.
• Deleted files are therefore another source of latent data to be examined during forensic analysis.

Internet Cache
• Evidence of Internet web browsing typically exists in abundance on the user's computer.
• Most web browsers (Internet Explorer, Netscape, and Firefox) use a system of caching to expedite web browsing and make it more efficient.
• This web browsing Internet cache is a potential source of evidence for the computer investigator.
• Portions of, and in some cases entire, visited web pages can be reconstructed.
• Even if deleted, these cached files can often be recovered.

Internet Cookies
• To appreciate the value of the "cookie," you must first understand how cookies get onto the computer and their intended purpose.
• Cookies are placed on the local hard disk drive by the web site the user has visited.
• This is, of course, only if the web browser being used is set to allow it.
• A cookie is used by the web site to track certain information about its visitors.
• This information can be anything from a history of visits or purchasing habits to passwords, session identifiers, and personal information used to recognize the user on later visits.

Internet History
• Most web browsers track the history of web page visits for the computer user.
• This is probably done merely as a matter of convenience.
• Like the "recent calls" list on a cell phone, the Internet history provides an accounting of sites most recently visited, with some browsers storing weeks' worth of visits.
• Users can go back and access sites they recently visited just by selecting them from the browser's history.
• The history file can be located and read with most popular computer forensic software packages.

Bookmarks and Favorite Places
• Another way users can access websites quickly is to store them in their "bookmarks" or "favorite places."
• Like a pre-set radio station, Internet browsers allow a user to bookmark websites for future visits.
• A lot can be learned from a person's bookmarked sites. Perhaps you might learn what online news a person is interested in or what type of hobbies he/she has.
• You may also see that person's favorite child pornography or computer hacking sites bookmarked.

Internet Communications
• Computer investigations often begin with, or are centered around, Internet communication.
• It may be:
  – a chat conversation among many people,
  – an instant message conversation between just two individuals,
  – or the back and forth of an e-mail exchange.
• Human communication has long been a source of evidentiary material.
• Regardless of the type, investigators are typically interested in communication.

Value of the IP Address
• In our earlier discussion, it was stated that in order to communicate on the Internet a device needs to be assigned an Internet Protocol (IP) address.
• The IP address is provided by the Internet Service Provider (ISP) through which the device accesses the Internet.
• Thus it is the IP address, together with the date and time at which it was in use, that might lead to the identity of a real person: ISPs frequently reassign addresses, so the ISP's records are needed to tie an address to a subscriber at a given moment.
• If an IP address is the link to the identity of a real person, then it would quite obviously be very valuable for identifying someone on the Internet.

IP Address Locations
• IP addresses are located in different places for different mediums of communication.
• E-mail will have the IP address in the header portion of the mail.
  – This may not be readily apparent and may require a bit of configuration to reveal.
  – Each e-mail client is different and needs to be evaluated on a case-by-case basis.
• In the case of an Instant Message or Chat session, the particular provider (the one providing the mechanism of chat: AOL, Yahoo, etc.) would be contacted to provide the user's IP address.
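Reading the IP address out of an e-mail header, as an added example that is not from the textbook: the Received: lines are parsed oldest hop first, and the address that connected to the last server the investigator controls is separated from the address the sender's own server merely claims, since Received: lines added before the message reached a trusted server can be forged. The message, hostnames and addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed; only Python's standard library is used.

```python
"""Recover the relay chain and connecting IP addresses from e-mail headers (added example)."""
import email
import ipaddress
import re

IPV4 = re.compile(r"\[?((?:\d{1,3}\.){3}\d{1,3})\]?")   # brackets around the address are optional


def received_chain(raw_message):
    """Return the Received: hops oldest-first as (from_host, ip, by_host).
    Each server prepends its own Received: line, so the header closest to the
    body was written by the first server that accepted the message."""
    msg = email.message_from_string(raw_message)
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        hdr = " ".join(raw.split())                  # unfold continuation lines
        from_m = re.search(r"\bfrom\s+(\S+)", hdr)
        by_m = re.search(r"\bby\s+(\S+)", hdr)
        ip = None
        for candidate in IPV4.findall(hdr):
            try:
                ip = str(ipaddress.ip_address(candidate))
                break
            except ValueError:                       # something that only looks like an address
                continue
        hops.append((from_m.group(1) if from_m else None, ip, by_m.group(1) if by_m else None))
    return hops


def connecting_ips(raw_message, trusted_suffix):
    """Return (verifiable_ip, claimed_origin_ip).
    verifiable_ip is the address that connected to the outermost server we
    operate (by_host ends with trusted_suffix), found by walking from the newest
    hop and stopping at the first hop written by someone else: every Received:
    line below that point could have been forged by the sender.
    claimed_origin_ip is what the oldest Received: line asserts, verified or not."""
    hops = received_chain(raw_message)
    verifiable = None
    for _, ip, by_host in reversed(hops):            # newest hop first
        if by_host and by_host.endswith(trusted_suffix):
            verifiable = ip
        else:
            break
    claimed_origin = hops[0][1] if hops else None
    return verifiable, claimed_origin


# Constructed message: the sender's PC handed the mail to a free-mail provider,
# which relayed it to the victim organization's own mail exchanger.
SAMPLE_MESSAGE = (
    "Received: from smtp.freemail.example (smtp.freemail.example [203.0.113.5])\n"
    "\tby mx.victim.example (Postfix) with ESMTP id 4F2A1C0B3\n"
    "\tfor <ceo@victim.example>; Mon, 14 Mar 2011 09:12:44 -0400 (EDT)\n"
    "Received: from [198.51.100.23] (helo=desktop-7)\n"
    "\tby smtp.freemail.example with esmtpa (Exim 4.72)\n"
    "\tid 1PzR2x-0003Vt-Kq; Mon, 14 Mar 2011 09:12:40 -0400\n"
    "From: \"Accounts\" <accounts@freemail.example>\n"
    "To: ceo@victim.example\n"
    "Subject: Wire instructions\n"
    "\n"
    "Please process the attached transfer today.\n"
)

if __name__ == "__main__":
    for i, (from_host, ip, by_host) in enumerate(received_chain(SAMPLE_MESSAGE)):
        print(f"hop {i}: {from_host} ({ip}) -> {by_host}")
    print("verifiable / claimed origin:", connecting_ips(SAMPLE_MESSAGE, "victim.example"))
```

Here the investigator can stand behind 203.0.113.5 (it connected to mx.victim.example, a server whose logs can confirm it), while 198.51.100.23 rests on the free-mail provider's word and would be confirmed with that provider, exactly as the slide describes for chat providers.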

Difficulty with IP Addresses
• Finding IP addresses may be difficult.
  – E-mail can be read through a number of clients or software programs.
  – Most accounts offer the ability to access e-mail through a web-based interface as well.
  – Often the majority of chat and instant message conversations are not saved by the parties involved.
• Each application needs to be researched, and the computer forensic examination guided by an understanding of how it functions.

Hacking
• Unauthorized computer intrusion, more commonly referred to as hacking, is a concern of every computer administrator.
• Hackers penetrate computer systems for a number of reasons.
  – Sometimes the motive is corporate espionage, and other times it is merely bragging rights within the hacker community.
  – Most commonly, though, it is a rogue or disgruntled employee with some knowledge of the computer network who is looking to cause damage.
• Despite the motivation, Corporate America is frequently turning to law enforcement to investigate and prosecute these cases.

Locations of Concentration
• Generally speaking, when investigating an unauthorized computer intrusion, investigators will concentrate their efforts in three locations:
  – log files
  – volatile memory
  – network traffic

Logs
• Logs will typically document the IP address of the computer that made the connection, along with the time it was made.
• Logs can be located in several places on a computer network.
• Most servers that exist on the Internet track connections made to them through the use of logs.
• Additionally, the router (the device responsible for directing data) might contain log files detailing connections.
• Similarly, devices known as firewalls might contain log files listing computers that were allowed (or denied) access to the network or an individual system. Because each device keeps its own clock and time zone, timestamps must be reconciled before entries from different logs are compared.
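Putting the server and firewall logs side by side, as an added example not taken from the textbook: web-server lines in the Common Log Format and syslog lines from a Linux iptables LOG rule are parsed, normalized to one time zone, and rolled up per source IP so that first/last contact, error responses and dropped connections appear in one view. The log lines, hostnames, addresses (documentation ranges) and the firewall's year and time zone are constructed assumptions; a real syslog line carries neither year nor zone, so both must come from the device's configuration.

```python
"""Correlate web-server and firewall log lines by source IP (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [time] "method path proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# Syslog line from an iptables LOG rule; only the prefix, SRC, DST and DPT fields are used
FW = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (\S+) .*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)')

EDT = timezone(timedelta(hours=-4))   # assumed zone of the firewall's clock


def parse_access_log(lines):
    """One event per valid CLF line; unparseable lines are skipped, never guessed at."""
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        yield {"time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), "ip": ip,
               "source": "web", "detail": f"{method} {path}", "status": int(status)}


def parse_firewall_log(lines, year, tz):
    """Syslog timestamps carry no year or zone; the caller supplies both."""
    for line in lines:
        m = FW.match(line)
        if not m:
            continue
        ts, action, src, dst, dport = m.groups()
        when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year, tzinfo=tz)
        yield {"time": when, "ip": src, "source": "fw", "detail": f"{action} {dst}:{dport}",
               "action": action, "dport": int(dport)}


def summarize_by_ip(events):
    """Per source IP: first/last seen across both logs, web hits and 4xx/5xx
    responses, firewall accepts/drops, and the set of destination ports tried."""
    summary = defaultdict(lambda: {"first": None, "last": None, "web_hits": 0, "web_errors": 0,
                                   "fw_accept": 0, "fw_drop": 0, "dports": set()})
    for ev in sorted(events, key=lambda e: e["time"]):
        s = summary[ev["ip"]]
        s["first"] = ev["time"] if s["first"] is None else min(s["first"], ev["time"])
        s["last"] = ev["time"] if s["last"] is None else max(s["last"], ev["time"])
        if ev["source"] == "web":
            s["web_hits"] += 1
            s["web_errors"] += int(ev["status"] >= 400)
        else:
            s["fw_accept" if "ACCEPT" in ev["action"] else "fw_drop"] += 1
            s["dports"].add(ev["dport"])
    return dict(summary)


def correlate(access_lines, fw_lines, year, tz):
    return summarize_by_ip(list(parse_access_log(access_lines)) + list(parse_firewall_log(fw_lines, year, tz)))


def flag_probing_ips(summary, min_errors=2, min_drops=2):
    """IPs that requested pages that do not exist or kept knocking on closed ports."""
    return sorted(ip for ip, s in summary.items()
                  if s["web_errors"] >= min_errors or s["fw_drop"] >= min_drops)


# Constructed sample logs for one morning on the victim's web server (192.0.2.10).
ACCESS_LOG = [
    '203.0.113.77 - - [14/Mar/2011:09:15:02 -0400] "GET /login.php HTTP/1.1" 200 1043',
    '203.0.113.77 - - [14/Mar/2011:09:15:09 -0400] "GET /admin/ HTTP/1.1" 404 512',
    '203.0.113.77 - - [14/Mar/2011:09:15:11 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 512',
    '203.0.113.77 - - [14/Mar/2011:09:16:40 -0400] "POST /login.php HTTP/1.1" 302 0',
    '198.51.100.8 - - [14/Mar/2011:09:20:15 -0400] "GET /index.html HTTP/1.1" 200 7712',
]
FIREWALL_LOG = [
    "Mar 14 09:14:58 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=80 SYN",
    "Mar 14 09:17:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=51301 DPT=22 SYN",
    "Mar 14 09:17:05 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=51302 DPT=3389 SYN",
    "Mar 14 09:20:14 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP SPT=40022 DPT=80 SYN",
]

if __name__ == "__main__":
    summary = correlate(ACCESS_LOG, FIREWALL_LOG, 2011, EDT)
    for ip, s in summary.items():
        print(ip, s["first"].isoformat(), s["last"].isoformat(),
              f"web={s['web_hits']}/{s['web_errors']} err", f"fw accept={s['fw_accept']} drop={s['fw_drop']}",
              sorted(s["dports"]))
    print("probing:", flag_probing_ips(summary))
```

The correlation only works because both parsers produce timezone-aware timestamps; comparing a web log written in local time against a firewall log written in UTC without this step shifts every event by hours and breaks the sequence of first contact, probing and login.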

Use of Volatile Data
• Many times, in cases of unlawful access to a computer network, some technique is used by the perpetrator to cover the tracks of his IP address.
• Advanced investigative techniques might be necessary to discover the true identity.
• Where an intrusion is in progress, the investigator might have to capture volatile data (data in RAM).
• The data existing in RAM at the time of an intrusion may provide valuable clues to the identity of the intruder, or at the very least the method of attack.
• Likewise, in the case of an instant message or chat conversation, the data that exists in RAM needs to be acquired, since such conversations are often never written to disk.

An Additional Standard Tactic
• Another standard tactic for investigating intrusion cases is documenting all programs installed and running on a system.
• By doing this the investigator might discover malicious software installed by the perpetrator to facilitate entry.
• This is accomplished using specialized software designed to document running processes, registry entries, and installed files. Running such tools on the live system alters its state, so the examiner records exactly what was run, in what order, and when.

Live Network Traffic
• The investigator may want to capture live network traffic as part of the evidence collection and investigation process.
• Traffic that travels the network does so in the form of data packets.
• In addition to the data itself, these packets also contain source and destination IP addresses.
• If the attack requires two-way communication, as in the case of a hacker stealing data, then the stolen data must be transmitted back to the hacker's computer, and the capture will show the address it went to and how much was sent.
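What the capture actually contains, as an added example that is not from the textbook: a parser for the IPv4 and TCP headers of a raw packet that pulls out the source and destination addresses and ports, checks the IP header checksum so that damaged or forged headers are rejected rather than misread, and tallies how many payload bytes left the internal network toward each outside address. The six-packet "capture" is built in memory with the documentation address ranges; no capture library is needed, and a real investigation would feed the same parser from a pcap file.

```python
"""Parse raw IPv4/TCP packets for source and destination addressing (added example)."""
import ipaddress
import socket
import struct
from collections import Counter


def ip_checksum(header):
    """RFC 791 one's-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, payload, flags=0x18):
    """Construct a minimal IPv4+TCP packet (no options) for the sample capture.
    The TCP checksum is left zero; only the IP header checksum is filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + tcp


def parse_ipv4_tcp(packet):
    """Return (src_ip, dst_ip, sport, dport, payload_len), or raise ValueError for
    anything that is not a well-formed IPv4/TCP packet with a valid header checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < total_len or total_len < ihl + 20:
        raise ValueError("bad length fields or truncated packet")
    if ip_checksum(packet[:ihl]) != 0:          # a correct header sums to zero
        raise ValueError("IP header checksum mismatch")
    if proto != 6:
        raise ValueError(f"protocol {proto} is not TCP")
    sport, dport, _, _, offset_byte = struct.unpack("!HHIIB", packet[ihl:ihl + 13])
    tcp_len = (offset_byte >> 4) * 4
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, total_len - ihl - tcp_len


def is_well_formed(packet):
    try:
        parse_ipv4_tcp(packet)
        return True
    except ValueError:
        return False


def corrupt_byte(packet, offset):
    """Copy of the packet with one byte altered (simulates a damaged or tampered header)."""
    data = bytearray(packet)
    data[offset] ^= 0x01
    return bytes(data)


def conversation_summary(packets, internal_network):
    """Payload bytes per (src, dst), split into outbound (internal host to outside)
    and everything else. Outbound volume to an unfamiliar address is where
    exfiltrated data shows up."""
    inside = ipaddress.ip_network(internal_network)
    outbound, inbound = Counter(), Counter()
    for pkt in packets:
        src, dst, _, _, n = parse_ipv4_tcp(pkt)
        if ipaddress.ip_address(src) in inside and ipaddress.ip_address(dst) not in inside:
            outbound[(src, dst)] += n
        else:
            inbound[(src, dst)] += n
    return outbound, inbound


# Constructed capture: an outside host requests an export script and the server
# answers with three full segments; an ordinary visitor fetches the home page.
SAMPLE_CAPTURE = [
    build_ipv4_tcp("203.0.113.77", "192.0.2.10", 51234, 80, b"GET /export.php HTTP/1.1\r\n"),
    build_ipv4_tcp("192.0.2.10", "203.0.113.77", 80, 51234, b"X" * 1400),
    build_ipv4_tcp("192.0.2.10", "203.0.113.77", 80, 51234, b"X" * 1400),
    build_ipv4_tcp("192.0.2.10", "203.0.113.77", 80, 51234, b"X" * 1400),
    build_ipv4_tcp("198.51.100.8", "192.0.2.10", 40022, 80, b"GET /index.html HTTP/1.1\r\n"),
    build_ipv4_tcp("192.0.2.10", "198.51.100.8", 80, 40022, b"<html>home</html>"),
]

if __name__ == "__main__":
    for pkt in SAMPLE_CAPTURE:
        print(parse_ipv4_tcp(pkt))
    outbound, inbound = conversation_summary(SAMPLE_CAPTURE, "192.0.2.0/24")
    print("outbound payload bytes:", dict(outbound))
    print("inbound payload bytes:", dict(inbound))
```

The asymmetry is the point: a 26-byte request answered with 4,200 bytes to 203.0.113.77 against 17 bytes to the ordinary visitor. The checksum test matters for evidence: a packet whose header fails it was altered somewhere between the wire and the analyst and should not be the basis of an attribution.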

Knowledge and Skill
• Computer file systems and data structures are vast and complex.
• Therefore, the areas of forensic analysis are almost limitless and constrained only by the knowledge and skill of the examiner.
• With a working knowledge of how computers function, how they are used, and how they store data, an examiner is well on his or her way to locating the evidentiary data.